<div dir="ltr">Thanks Paul.<div><br></div><div>Since this was my first post, I should have posted more details, but I finally got it working after posting on the mailing list.</div><div>My setup -> IPsec L2TP/PSK, so it doesn't need narrowing.</div><div>For the server side I used the post <a href="https://github.com/hwdsl2/setup-ipsec-vpn">https://github.com/hwdsl2/setup-ipsec-vpn</a>, which automates the setup for AWS; this is a great post for a newbie, as it does all the setup and gives you the PSK/username/password and IP to connect.</div><div><br></div><div>The mistake I made was that while starting and adding the connection I was using the openswan steps; the right steps that I used are:</div>
<div><b>1) ADD connection</b></div>
<pre>
~# ipsec addconn myvpn
002 "myvpn": deleting non-instance connection
002 added connection description "myvpn"
</pre>
<div><b>2) Restart the ipsec and xl2tpd connection</b></div>
<pre>
:~# /etc/init.d/ipsec restart
[ ok ] Restarting ipsec (via systemctl): ipsec.service.
# /etc/init.d/xl2tpd restart
[ ok ] Restarting xl2tpd (via systemctl): xl2tpd.service.
</pre>
<div><b>3) Start the IPsec L2TP-PSK connection</b></div>
<pre>
# ipsec auto --start myvpn
</pre>
<div><b>4) Now we have to add the adapter using xl2tpd for PPP to come up, and you get an IP</b></div>
<pre>
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
</pre>
<div>This finally gave me the right PPP with the right local IP.</div><div><br></div><div>It would be a great help if the wiki were updated with both sides' config and how to start the client side connection. I was referring to your slide deck at </div><div><a href="https://datatracker.ietf.org/meeting/interim-2017-i2nsf-01/materials/slides-interim-2017-i2nsf-01-sessa-ipsec-vpn-deployments-paul-wouters/">https://datatracker.ietf.org/meeting/interim-2017-i2nsf-01/materials/slides-interim-2017-i2nsf-01-sessa-ipsec-vpn-deployments-paul-wouters/</a><br></div><div><br></div><div>where you mentioned the following; do we have a sample config for both which I could test? I am doing this on my embedded ARM gateway with an integrated modem.</div><div><ul><li>FULL MESH ENCRYPTION<br></li><li>OPPORTUNISTIC IPSEC GATEWAY <br></li></ul><div>PK</div></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 26, 2017 at 7:07 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, 26 Oct 2017, Priyank Kumar wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>First post. I set up libreswan on my AWS instance and am able to connect to it using my Android phone. I couldn't find any tutorial on how to set up the Linux<span class=""><br>
client side; after harvesting the net I tried the following configuration. <br>
</span></blockquote>
<br>
Did you setup IPsec/L2TP or IKEv2 or IKEv1 XAUTH (Cisco IPsec) ?<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* My AWS side VPN server works fine with my phone, so I don't suspect that<br>
<br>
Issue 1: if the Linux PC side conf file has narrowing = no, then it gives error "myvpn": cannot initiate connection with narrowing=no and (kind=CK_TEMPLATE)<br>
Issue 2: There are no clear instructions on how to start the VPN client. I am using <br>
ipsec auto --up myvpn or ipsec auto --start myvpn (this shows sometime success) <br>
Issue 3: If I do narrowing = yes, it fails by <br>
</blockquote>
<br></span>
Narrowing is only used for the ikev2 configuration.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
# Linux PC (Client side)<br>
/etc/ipsec.d/myvpn.conf<br>
conn myvpn<br>
        left=%defaultroute<br>
        right=<MyServerIP><br>
        narrowing=no<br>
        encapsulation=yes<br>
        authby=secret<br>
        pfs=no<br>
        rekey=no<br>
        keyingtries=5<br>
        dpddelay=30<br>
        dpdtimeout=120<br>
        dpdaction=clear<br>
        ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512<br>
        phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512<br>
        sha2-truncbug=yes<br>
        auto=add<br>
        leftprotoport=17/1701<br>
        rightprotoport=17/1701<br>
        type=transport<br>
        phase2=esp<br>
</blockquote>
<br></span>
This looks like L2TP/IPsec, so do not use narrowing then.<br>
<br>
Do not use encapsulation= unless you need to override things normally<br>
auto-detected.<div><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
#AWS VPN server side conf file, this works with Android phone <br>
<br>
cat /etc/ipsec.conf<br>
<br>
version 2.0<br>
<br>
<br>
config setup<br>
<br>
 virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24<br>
<br>
 protostack=netkey<br>
<br>
 nhelpers=0<br>
<br>
 interfaces=%defaultroute<br>
<br>
 uniqueids=no<br>
<br>
<br>
conn shared<br>
<br>
 left=%defaultroute<br>
<br>
 leftid=<ServerIP><br>
<br>
 right=%any<br>
<br>
 encapsulation=yes<br>
<br>
 authby=secret<br>
<br>
 pfs=no<br>
<br>
 rekey=no<br>
<br>
 keyingtries=5<br>
<br>
 dpddelay=30<br>
<br>
 dpdtimeout=120<br>
<br>
 dpdaction=clear<br>
<br>
 ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512<br>
<br>
 phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512<br>
<br>
 sha2-truncbug=yes<br>
<br>
<br>
conn l2tp-psk<br>
<br>
 auto=add<br>
<br>
 leftprotoport=17/1701<br>
<br>
 rightprotoport=17/%any<br>
<br>
 type=transport<br>
<br>
 phase2=esp<br>
<br>
 also=shared<br>
<br>
<br>
conn xauth-psk<br>
<br>
 auto=add<br>
<br>
 leftsubnet=0.0.0.0/0<br>
<br>
 rightaddresspool=192.168.43.10-192.168.43.250<br>
<br>
 modecfgdns1=8.8.8.8<br>
<br>
 modecfgdns2=8.8.4.4<br>
<br>
 leftxauthserver=yes<br>
<br>
 rightxauthclient=yes<br>
<br>
 leftmodecfgserver=yes<br>
<br>
 rightmodecfgclient=yes<br>
<br>
 modecfgpull=yes<br>
<br>
 xauthby=file<br>
<br>
 ike-frag=yes<br>
<br>
 ikev2=never<br>
<br>
 cisco-unity=yes<br>
<br>
 also=shared<br>
</blockquote>
<br>
<br></div></div>
You have defined both XAUTH and L2TP/IPsec. I would recommend settling<br>
on one solution. And strongly recommend ditching L2TP since android,<br>
iOS and Linux can do XAUTH/IPsec fine.<br>
<br>
For a client side config of XAUTH/IPsec, basically copy your server side<br>
one. Or look at some of our testcases at<br>
<br>
<a href="https://github.com/libreswan/libreswan/blob/master/testing/pluto/xauth-pluto-05/road.conf" rel="noreferrer" target="_blank">https://github.com/libreswan/libreswan/blob/master/testing/pluto/xauth-pluto-05/road.conf</a><br>
<br>
I'll update our wiki soon to include a proper xauth libreswan client<br>
configuration.<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
<br>
<br>
</font></span></blockquote></div><br></div>
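<div>The points Paul raises against the two configs above (narrowing= on an L2TP/IPsec conn, an explicit encapsulation=yes, and a server that defines both L2TP/IPsec and XAUTH/IPsec) can be checked mechanically. The following is an added example by the editor, not code from the thread or from libreswan: a small linter that parses libreswan's ipsec.conf section syntax, folds in also= inheritance, and reports those three problems. The legacy-algorithm check (3des, sha1, modp1024) is the editor's addition and was not raised in the thread. The embedded configs are constructed from the ones posted above, trimmed, with the server placeholder replaced by an RFC 5737 documentation address and the server algorithm lists modernised.</div>

```python
"""Added example (not from the thread or libreswan): lint an ipsec.conf for
the mistakes discussed above.  Parses libreswan section syntax, resolves
also= inheritance and flags narrowing= on an L2TP/IPsec conn (IKEv2-only),
an explicit encapsulation=yes, and a server defining both L2TP/IPsec and
XAUTH/IPsec conns.  The legacy-algorithm check is the editor's addition."""
import re

# Constructed input: the client conn from the thread, trimmed, with the
# server placeholder replaced by an RFC 5737 documentation address.
CLIENT_CONF = """\
conn myvpn
        left=%defaultroute
        right=192.0.2.1
        narrowing=no
        encapsulation=yes
        authby=secret
        ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
        phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
        leftprotoport=17/1701
        rightprotoport=17/1701
        type=transport
"""

# Constructed input: a cut-down server side keeping the also=shared
# inheritance and the two competing conns (algorithm lists modernised).
SERVER_CONF = """\
version 2.0

config setup
 protostack=netkey

conn shared
 left=%defaultroute
 right=%any
 authby=secret
 ike=aes256-sha2_512;modp2048
 phase2alg=aes256-sha2_512

conn l2tp-psk
 leftprotoport=17/1701
 rightprotoport=17/%any
 type=transport
 also=shared

conn xauth-psk
 leftxauthserver=yes
 rightxauthclient=yes
 ikev2=never
 also=shared
"""

LEGACY_ALG = re.compile(r"\b(3des|sha1|modp1024)\b")


def parse_ipsec_conf(text):
    """Map (kind, name) -> {key: value} for each 'conn NAME' / 'config setup' section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented line: section header
            parts = line.split()
            current = tuple(parts[:2]) if parts[0] in ("conn", "config") and len(parts) > 1 else None
            if current is not None:
                sections.setdefault(current, {})
        elif current is not None and "=" in line:  # indented key=value inside a section
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def resolve_conn(sections, name, seen=()):
    """Return a conn's settings with its also= section folded in (own keys win)."""
    own = dict(sections[("conn", name)])
    parent = own.pop("also", None)
    if parent and parent not in seen and ("conn", parent) in sections:
        merged = resolve_conn(sections, parent, seen + (name,))
        merged.update(own)
        return merged
    return own


def lint(text):
    """Return a list of (conn, message) findings for the problems discussed above."""
    sections = parse_ipsec_conf(text)
    findings, l2tp_conns, xauth_conns = [], [], []
    for kind, name in sections:
        if kind != "conn":
            continue
        c = resolve_conn(sections, name)
        if any(c.get(k, "").startswith("17/1701") for k in ("leftprotoport", "rightprotoport")):
            l2tp_conns.append(name)
            if "narrowing" in c:  # Paul: narrowing= only applies to IKEv2 configurations
                findings.append((name, "narrowing= is IKEv2-only; remove it from this L2TP/IPsec conn"))
        if any(c.get(k) == "yes" for k in ("leftxauthserver", "rightxauthserver",
                                           "leftxauthclient", "rightxauthclient")):
            xauth_conns.append(name)
        if c.get("encapsulation") == "yes":  # Paul: leave NAT-T encapsulation to auto-detection
            findings.append((name, "encapsulation=yes overrides auto-detection; omit it unless needed"))
        for key in ("ike", "phase2alg"):     # editor's addition: legacy algorithms
            hits = sorted(set(LEGACY_ALG.findall(c.get(key, ""))))
            if hits:
                findings.append((name, f"{key}= offers legacy algorithms: {', '.join(hits)}"))
    if l2tp_conns and xauth_conns:          # Paul: settle on one of the two
        findings.append(("*", f"both L2TP/IPsec ({', '.join(l2tp_conns)}) and XAUTH/IPsec "
                              f"({', '.join(xauth_conns)}) are defined; settle on one"))
    return findings


if __name__ == "__main__":
    for label, conf in (("client", CLIENT_CONF), ("server", SERVER_CONF)):
        for conn, msg in lint(conf):
            print(f"{label}: {conn}: {msg}")
```

<div>Run with python3 it prints one line per finding for each embedded config; point it at a real file by reading the file into lint(), and extend LEGACY_ALG to whatever your policy forbids. The linter only understands the also= inheritance used in these configs, not conn %default.</div>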